Article ID: 197851
Article Last Modified on 10/31/2006
APPLIES TO
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q197851
SYMPTOMS
A user may have two different passwords (a LAN Manager password and a Windows NT password) without knowing it.
MORE INFORMATION
The Windows NT password may be empty if the account database was migrated from an old LAN Manager domain (for example, by using Portuas.exe). In this case, the old LAN Manager password (encrypted with DES) is taken from the old account database, and the new Windows NT password (encrypted using MD4) will be empty, because there is no way to recalculate the password from the LM database.
In Service Pack 4, security validation has changed. It is possible a user is validated only by the Windows NT 4.0 password, which can be empty if it has not been changed since the migration from LAN Manager.
For additional information on this security validation change, please see the following article in the Microsoft Knowledge Base:
147706 How to Disable LM Authentication on Windows NT
RESOLUTION
To resolve this issue, after migration, have the user change the password in the Windows NT domain. This can be achieved by setting the appropriate flags in the Windows NT User Manager for Domains. After the password has changed, both passwords (LAN Manager and Windows NT) will be kept in sync.
Additional query words: NT4SP4 security validation
Keywords: kbprb KB197851
